Author Topic: Money was stolen out of my localbitcoins account  (Read 2448 times)
keithers
Legendary
*
Offline Offline

Activity: 1456
Merit: 1001


This is the land of wolves now & you're not a wolf


View Profile
September 07, 2014, 05:17:17 AM
 #21

it is very possible that your bitcoins were stolen because you logged into a fake localbitcoins site by accident and the site recorded your name and password.

The scammers pay for an ad on google and when people type "localbitcoins" into google, the fake site is listed first because it is a paid ad. People click on the ad and log in because it looks just like the real site.


I have heard of this happening more and more, and this is terrible.   It is especially bad because for BTC to be adopted mainstream, we want more and more new people using BTC daily.   I think it should be stickied somewhere on this forum, how to report phishing sites, and we all should be more pro-active in helping try to stop it...
reg
Sr. Member
****
Offline Offline

Activity: 463
Merit: 250


View Profile
September 07, 2014, 09:43:37 AM
 #22

You might have clicked on a phishing link a while back and the scammer just waits dormant until you have a large transaction. Why didn't you activate 2FA? It would prevent this kind of stuff. You can even give out your user name and PW, but no one will be able to withdraw unless they have your personal device.
2FA does not work quite that well (at least not all the time). There are always potential ways around 2FA on websites. I would consider it to be reckless if someone is careless about their password simply because 2FA is enabled. 2FA should only be an additional security method, not the only security measure.

Yes but I don't think this applies to LBC, which is the case with OP. You need 2FA to log in, withdraw coins, or release coins from escrow. Basically anything that involves movement of coins needs 2FA. To disable the 2FA, you'd have to have access to it in the first place.

You need 2FA to log in and withdraw coins but not to release from escrow. That is the prerogative of the seller/buyer.
haploid23
Legendary
*
Offline Offline

Activity: 812
Merit: 1002



View Profile WWW
September 07, 2014, 10:01:27 AM
 #23

You need 2FA to log in and withdraw coins but not to release from escrow. That is the prerogative of the seller/buyer.

Yes, you do need 2FA to release from escrow. At least on my account you need that. I just checked and there was no option to choose when 2FA will be used.

CaMeRoNy
Full Member
***
Offline Offline

Activity: 630
Merit: 103



View Profile
September 07, 2014, 10:07:13 AM
 #24

Seems like he scammed too many people lol

master-P
Hero Member
*****
Offline Offline

Activity: 868
Merit: 1001


https://keybase.io/masterp FREE Escrow Service


View Profile WWW
September 07, 2014, 03:13:21 PM
 #25

You might have clicked on a phishing link a while back and the scammer just waits dormant until you have a large transaction. Why didn't you activate 2FA? It would prevent this kind of stuff. You can even give out your user name and PW, but no one will be able to withdraw unless they have your personal device.
2FA does not work quite that well (at least not all the time). There are always potential ways around 2FA on websites. I would consider it to be reckless if someone is careless about their password simply because 2FA is enabled. 2FA should only be an additional security method, not the only security measure.

Two Factor Authentication (2FA) is the best thing since sliced bread.  It almost makes choosing a password trivial, the additional security that you gain almost makes passwords obsolete.

Neil

What if your phone gets stolen? If you have a weak password then the person who has your phone would essentially be able to access any of your accounts.

What if you lose your phone? You would essentially be locked out of your accounts unless there was some way to disable it without knowing the 2FA code.

Master-P's Free Escrow Service | 1% Fee for Multi-Party/Sig Campaigns | I Sign ALL of my addresses using PGP Key: https://keybase.io/masterp Verify
Tipping Address: 14PUWBwK854GLenxSa7MAuxXQUXK4DKKi5 | E-mail: masterp.bitcointalk {at} gmail {dot} com (for when/if the forum's offline)
Guide on How to Sign a Message
Kupsi
Legendary
*
Offline Offline

Activity: 1193
Merit: 1003


9.9.2012: I predict that single digits... <- FAIL


View Profile
September 07, 2014, 03:19:42 PM
 #26

What if you lose your phone? You would essentially be locked out of your accounts unless there was some way to disable it without knowing the 2FA code.

Take a print screen of the QR-code as a backup when enabling 2FA. Then you can use this to configure your new phone.
itsAj
Hero Member
*****
Offline Offline

Activity: 588
Merit: 500



View Profile
September 07, 2014, 05:30:58 PM
 #27

What if you lose your phone? You would essentially be locked out of your accounts unless there was some way to disable it without knowing the 2FA code.

Take a print screen of the QR-code as a backup when enabling 2FA. Then you can use this to configure your new phone.
Wouldn't this essentially make this screen print/picture essentially as good as your password? If someone were to get a hold of this screen print they could essentially configure their own phone to be a 2FA device on the account. 
MineForeman.com
Legendary
*
Offline Offline

Activity: 896
Merit: 1000



View Profile WWW
September 07, 2014, 08:48:42 PM
 #28

What if your phone gets stolen? If you have a weak password then the person who has your phone would essentially be able to access any of your accounts.

What if you lose your phone? You would essentially be locked out of your accounts unless there was some way to disable it without knowing the 2FA code.

Both valid points and reasons why there is still a password in the mix, neither of them are a good reason not to use 2FA though.

If you did a very unscientific search on this board querying posts about people who have had their account hacked* I imagine you will find none of them had 2FA enabled, it is that good at protecting your goodies.

* I hate using hacked in this context, I am old enough to still think of it in its original context before any Angelina Jolie feel good pubescent teen movie.

Bitcoin News http://mineforeman.com/ || MinePeon - Bitcoin mining on the Raspberry PI http://mineforeman.com/minepeon/ || MinePeon Wiki http://minepeon.com/ || MinePeon Forums http://minepeon.com/forums/
BittBurger
Hero Member
*****
Offline Offline

Activity: 924
Merit: 1001


View Profile
September 07, 2014, 09:15:09 PM
 #29


And when you contacted LBC customer support, they said.... Huh?



Ya.   Should have been done before creating this thread.   Probably wasn't.

-B-

Owner: "The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
View it on the Blockchain | Genesis Block Newspaper Copies
dankkk
Sr. Member
****
Offline Offline

Activity: 308
Merit: 250



View Profile
September 07, 2014, 09:39:35 PM
 #30

You need 2FA to log in and withdraw coins but not to release from escrow. That is the prerogative of the seller/buyer.

Yes, you do need 2FA to release from escrow. At least on my account you need that. I just checked and there was no option to choose when 2FA will be used.
In theory, someone could use one of those cell towers that are meant to spy on people using the cell tower. (there is a thread in politics and society about this). The attacker could make it so your cell phone does not use encryption, requests a 2FA code they know will be delivered to your phone and then intercept the code, and not deliver it to your phone. If they know your account credentials then they would have access to your account.
MineForeman.com
Legendary
*
Offline Offline

Activity: 896
Merit: 1000



View Profile WWW
September 07, 2014, 10:17:38 PM
 #31

In theory, someone could use one of those cell towers that are meant to spy on people using the cell tower. (there is a thread in politics and society about this). The attacker could make it so your cell phone does not use encryption, requests a 2FA code they know will be delivered to your phone and then intercept the code, and not deliver it to your phone. If they know your account credentials then they would have access to your account.

No they could not.

First, they could not disable encryption on your phone.  They would require root access to do that.

Second, even if they did that they could not "intercept" your 2FA code.  That 2FA code is not generated from a server somewhere to be intercepted, it is generated by your phone using a time based code.

Neil

Bitcoin News http://mineforeman.com/ || MinePeon - Bitcoin mining on the Raspberry PI http://mineforeman.com/minepeon/ || MinePeon Wiki http://minepeon.com/ || MinePeon Forums http://minepeon.com/forums/
Magicman420 (OP)
Sr. Member
****
Offline Offline

Activity: 309
Merit: 250


View Profile
September 08, 2014, 04:50:33 AM
 #32


And when you contacted LBC customer support, they said.... Huh?



Ya.   Should have been done before creating this thread.   Probably wasn't.

-B-


LBC told me there was nothing they can do.. I'm almost 99.9 percent sure I didn't click a phishing link.. Says my account was failed login 22 times yesterday... If he had my password then there wouldn't be 20 failed login across the us something isn't adding up.. Don't wanna bash LBC.. but someone is hacking their shit and they will never admit it.. And I'm out 435 bucks :/
leannemckim46
Sr. Member
****
Offline Offline

Activity: 420
Merit: 250


View Profile
September 08, 2014, 05:31:05 AM
 #33

In theory, someone could use one of those cell towers that are meant to spy on people using the cell tower. (there is a thread in politics and society about this). The attacker could make it so your cell phone does not use encryption, requests a 2FA code they know will be delivered to your phone and then intercept the code, and not deliver it to your phone. If they know your account credentials then they would have access to your account.

No they could not.

First, they could not disable encryption on your phone.  They would require root access to do that.

Second, even if they did that they could not "intercept" your 2FA code.  That 2FA code is not generated from a server somewhere to be intercepted, it is generated by your phone using a time based code.

Neil
From this thread.
Quote
Rather than offering you cellphone service, the towers appear to be connecting to nearby phones, bypassing their encryption, and either tapping calls or reading texts
If the tower does not accept encryption then encryption will not be used. This is similar to doing trades in the marketplace, if the seller does not accept escrow, then escrow will not be used, in the marketplace the buyer can simply decline the transaction, however cell phones are setup so that they will connect to the closest tower/tower with the strongest signal.

If the 2FA code was sent via text message, then the tower could read the unencrypted text message and not relay the message to the cell phone.

MineForeman.com
Legendary
*
Offline Offline

Activity: 896
Merit: 1000



View Profile WWW
September 08, 2014, 07:11:46 AM
 #34

In theory, someone could use one of those cell towers that are meant to spy on people using the cell tower. (there is a thread in politics and society about this). The attacker could make it so your cell phone does not use encryption, requests a 2FA code they know will be delivered to your phone and then intercept the code, and not deliver it to your phone. If they know your account credentials then they would have access to your account.

No they could not.

First, they could not disable encryption on your phone.  They would require root access to do that.

Second, even if they did that they could not "intercept" your 2FA code.  That 2FA code is not generated from a server somewhere to be intercepted, it is generated by your phone using a time based code.

Neil
From this thread.
Quote
Rather than offering you cellphone service, the towers appear to be connecting to nearby phones, bypassing their encryption, and either tapping calls or reading texts
If the tower does not accept encryption then encryption will not be used. This is similar to doing trades in the marketplace, if the seller does not accept escrow, then escrow will not be used, in the marketplace the buyer can simply decline the transaction, however cell phones are setup so that they will connect to the closest tower/tower with the strongest signal.

If the 2FA code was sent via text message, then the tower could read the unencrypted text message and not relay the message to the cell phone.


No, no, no, no.  All misinformation.

The cell phone tower has absolutely nothing to do with your phone and it talking to an encrypted service, they cannot turn it off, it is all FUD!!

The 2FA code is not sent via sms (I know a few services do that, but this one, like most does not) and it cannot be intercepted.

Neil

Bitcoin News http://mineforeman.com/ || MinePeon - Bitcoin mining on the Raspberry PI http://mineforeman.com/minepeon/ || MinePeon Wiki http://minepeon.com/ || MinePeon Forums http://minepeon.com/forums/
haploid23
Legendary
*
Offline Offline

Activity: 812
Merit: 1002



View Profile WWW
September 08, 2014, 07:46:50 AM
 #35

LBC told me there was nothing they can do.. I'm almost 99.9 percent sure I didn't click a phishing link.. Says my account was failed login 22 times yesterday... If he had my password then there wouldn't be 20 failed login across the us something isn't adding up.. Don't wanna bash LBC.. but someone is hacking their shit and they will never admit it.. And I'm out 435 bucks :/

I didn't expect LBC to do anything about this. It's 100% user fault. Imagine if every time you lost your coins and they had to reimburse you; this opens a lot of opportunity for abuse.

It only took 20 tries to log in? That's some weaksauce password. It's more likely that the thief already had your PW and tried variations to hit the correct one.

leannemckim46
Sr. Member
****
Offline Offline

Activity: 420
Merit: 250


View Profile
September 08, 2014, 11:47:28 PM
 #36

In theory, someone could use one of those cell towers that are meant to spy on people using the cell tower. (there is a thread in politics and society about this). The attacker could make it so your cell phone does not use encryption, requests a 2FA code they know will be delivered to your phone and then intercept the code, and not deliver it to your phone. If they know your account credentials then they would have access to your account.

No they could not.

First, they could not disable encryption on your phone.  They would require root access to do that.

Second, even if they did that they could not "intercept" your 2FA code.  That 2FA code is not generated from a server somewhere to be intercepted, it is generated by your phone using a time based code.

Neil
From this thread.
Quote
Rather than offering you cellphone service, the towers appear to be connecting to nearby phones, bypassing their encryption, and either tapping calls or reading texts
If the tower does not accept encryption then encryption will not be used. This is similar to doing trades in the marketplace, if the seller does not accept escrow, then escrow will not be used, in the marketplace the buyer can simply decline the transaction, however cell phones are setup so that they will connect to the closest tower/tower with the strongest signal.

If the 2FA code was sent via text message, then the tower could read the unencrypted text message and not relay the message to the cell phone.


No, no, no, no.  All misinformation.

The cell phone tower has absolutely nothing to do with your phone and it talking to an encrypted service, they cannot turn it off, it is all FUD!!

The 2FA code is not sent via sms (I know a few services do that, but this one, like most does not) and it cannot be intercepted.

Neil
I believe that LBC does use SMS to send their 2FA code to user's phones. I think a lot of other sites will send 2FA codes the same way. This prevents the site from locking you out if you lose and replace your phone with the same phone number.

keithers
Legendary
*
Offline Offline

Activity: 1456
Merit: 1001


This is the land of wolves now & you're not a wolf


View Profile
September 09, 2014, 04:12:40 AM
 #37

Install firewall, antivirus and antimalware. Update all. Scan.

Uninstall all shitty mining progs or free bitcoin generators.

I would go out on a limb and say that at least 80% of people that have installed a bitcoin generator have probably had their BTC stolen shortly after.